fix(security): Q2 Chunk 1 — 密钥外部化与启动强制检查

- default.toml 敏感值改为占位符，强制通过环境变量注入 - 启动时拒绝默认 JWT 密钥和数据库 URL - 移除 super_admin_password 硬编码 fallback - 移除 From<AppError> for AuthError 反向映射，5 处调用点改为显式 map_err - .gitignore 添加 .test_token 和测试产物
2026-04-17 17:42:19 +08:00
parent 2bd274b39a
commit 39a12500e3
10 changed files with 43 additions and 42 deletions
--- a/crates/erp-auth/src/service/dept_service.rs
+++ b/crates/erp-auth/src/service/dept_service.rs
@@ -190,7 +190,8 @@ impl DeptService {
            }
        }

-        let next_ver = check_version(req.version, model.version)?;
+        let next_ver = check_version(req.version, model.version)
+            .map_err(|e| AuthError::Validation(e.to_string()))?;

        let mut active: department::ActiveModel = model.into();

--- a/crates/erp-auth/src/service/org_service.rs
+++ b/crates/erp-auth/src/service/org_service.rs
@@ -173,7 +173,8 @@ impl OrgService {
            }
        }

-        let next_ver = check_version(req.version, model.version)?;
+        let next_ver = check_version(req.version, model.version)
+            .map_err(|e| AuthError::Validation(e.to_string()))?;

        let mut active: organization::ActiveModel = model.into();

--- a/crates/erp-auth/src/service/position_service.rs
+++ b/crates/erp-auth/src/service/position_service.rs
@@ -165,7 +165,8 @@ impl PositionService {
            }
        }

-        let next_ver = check_version(req.version, model.version)?;
+        let next_ver = check_version(req.version, model.version)
+            .map_err(|e| AuthError::Validation(e.to_string()))?;

        let mut active: position::ActiveModel = model.into();

--- a/crates/erp-auth/src/service/role_service.rs
+++ b/crates/erp-auth/src/service/role_service.rs
@@ -171,7 +171,8 @@ impl RoleService {
            .filter(|r| r.tenant_id == tenant_id && r.deleted_at.is_none())
            .ok_or_else(|| AuthError::Validation("角色不存在".to_string()))?;

-        let next_ver = check_version(version, model.version)?;
+        let next_ver = check_version(version, model.version)
+            .map_err(|e| AuthError::Validation(e.to_string()))?;

        let mut active: role::ActiveModel = model.into();

--- a/crates/erp-auth/src/service/user_service.rs
+++ b/crates/erp-auth/src/service/user_service.rs
@@ -200,7 +200,8 @@ impl UserService {
            .filter(|u| u.tenant_id == tenant_id && u.deleted_at.is_none())
            .ok_or_else(|| AuthError::Validation("用户不存在".to_string()))?;

-        let next_ver = check_version(req.version, user_model.version)?;
+        let next_ver = check_version(req.version, user_model.version)
+            .map_err(|e| AuthError::Validation(e.to_string()))?;

        let mut active: user::ActiveModel = user_model.into();